[wp-trac] [WordPress Trac] #20476: Twenty Eleven: replace esc_attr( printf() ) with sprintf to prevent potential xss and potential broken code.

WordPress Trac wp-trac at lists.automattic.com
Wed Apr 18 16:17:50 UTC 2012


#20476: Twenty Eleven: replace esc_attr( printf() ) with sprintf to prevent
potential xss and potential broken code.
---------------------------+----------------------
 Reporter:  chellycat      |       Owner:
     Type:  defect (bug)   |      Status:  closed
 Priority:  normal         |   Milestone:
Component:  Bundled Theme  |     Version:  3.3
 Severity:  normal         |  Resolution:  invalid
 Keywords:                 |
---------------------------+----------------------
Changes (by nacin):

 * status:  new => closed
 * resolution:   => invalid
 * milestone:  Awaiting Review =>


Comment:

 :-(

 Please do not post potential security vulnerabilities on Trac.
 http://codex.wordpress.org/FAQ_Security. There is an email address --
 security -at- wordpress.org.

 Thankfully, this is an invalid bug report.

 get_the_author() returns the author's display name. On save, we sanitize
 the display name field by running it through sanitize_text_field() and
 kses. The HTML inside it is safe. (This occurs in sanitize_user_field()...
 we then attach callbacks to pre_user_display_name in default-filters.)

 get_the_author() is *not* safe inside of an attribute, which is probably
 why there is some confusion here. For example:

 `echo '<span title="' . get_the_author() . '">';`

 A display name of `" onclick="alert(0)` will not get sanitized when saving
 the display name — it is valid. But, it does cause problems in an
 attribute. So esc_attr() is necessary in that case.

 > Not sure I understand the connection between the description and the
 patch, since there's no esc_attr() call in that line.

 I imagine chellycat was referring to looking for esc_attr( printf() ) as a
 typo/thinko. This has occurred before, sadly, in Twenty Ten (and Twenty
 Eleven had some similar inconsistencies). But note that in
 [19582/trunk/wp-content/themes/twentyeleven/content-single.php], the
 escaping proposed here was specifically removed.

-- 
Ticket URL: <http://core.trac.wordpress.org/ticket/20476#comment:2>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
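
The two points nacin makes (a display name that survives kses can still break out of an attribute, and `esc_attr( printf() )` is a thinko because `printf()` has already written its output by the time `esc_attr()` runs) can be reproduced without WordPress. The block below is an added, self-contained example and is not code from the ticket, the theme or WordPress core. It assumes `htmlspecialchars()` with `ENT_QUOTES` as a stand-in for `esc_attr()` (the real function also normalises existing entities and runs a filter) and `strip_tags()` as a crude stand-in for the tag-stripping part of kses; the display name is constructed for the demonstration.

```php
<?php
// Added example, not WordPress code. Stand-in for esc_attr(): the real
// function is htmlspecialchars()-like but also normalises entities and
// applies the attribute_escape filter.
function esc_attr_stand_in(string $text): string {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Constructed display name of the kind the comment describes. It contains
// no tags, so a tag-stripping sanitiser (strip_tags() stands in for kses
// here) passes it unchanged: as a display name it is "valid".
$display_name = '" onclick="alert(0)';
var_dump(strip_tags($display_name) === $display_name); // bool(true)

// 1. Unescaped inside an attribute: the leading quote closes title="",
//    and the remainder becomes a second attribute, an onclick handler.
$unsafe = '<span title="' . $display_name . '">';
echo $unsafe, "\n";
// <span title="" onclick="alert(0)">

// 2. Escaped with the esc_attr() stand-in: every quote becomes &quot;,
//    so the whole value stays inside the title attribute.
$safe = '<span title="' . esc_attr_stand_in($display_name) . '">';
echo $safe, "\n";
// <span title="&quot; onclick=&quot;alert(0)">

// 3. The esc_attr( printf() ) thinko. printf() writes its output at once
//    and returns the number of bytes written, so the raw name reaches the
//    page unescaped and esc_attr() is handed an integer instead.
echo '<span title="';
$returned = esc_attr_stand_in((string) printf('%s', $display_name));
echo '">', "\n";
// <span title="" onclick="alert(0)">   <- unescaped, exactly as in case 1
var_dump($returned);                     // string(2) "19": the byte count

// 4. The shape the ticket title asks for: build the string with sprintf(),
//    escape the result, then output it.
printf('<span title="%s">' . "\n", esc_attr_stand_in(sprintf('%s', $display_name)));
// <span title="&quot; onclick=&quot;alert(0)">
```

Run with `php example.php`. Case 3 is the reason the pattern is worse than a missing `esc_attr()`: it looks escaped on a code read, yet the browser receives the same markup as case 1. The fix is always to escape the value before the call that outputs it (`echo esc_attr( sprintf( ... ) )` or `printf( '...%s...', esc_attr( $value ) )`), never to wrap the output call itself.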